openid-client 4.7.2 → 4.7.3
- package/CHANGELOG.md +7 -0
- package/lib/client.js +12 -12
- package/package.json +1 -1
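--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [4.7.3](https://github.com/panva/node-openid-client/compare/v4.7.2...v4.7.3) (2021-04-30)
+
+
+### Bug Fixes
+
+* **fapi:** validate ID Token's iat regardless of which channel it came from ([b68b9ab](https://github.com/panva/node-openid-client/commit/b68b9ab5af6a85a2f42adf6b782cef7e08378658))
+
 ## [4.7.2](https://github.com/panva/node-openid-client/compare/v4.7.1...v4.7.2) (2021-04-23)
 
 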
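--- a/package/lib/client.js
+++ b/package/lib/client.js
@@ -724,6 +724,8 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 });
 }
 
+const fapi = this.constructor.name === 'FAPIClient';
+
 if (returnedBy === 'authorization') {
 if (!payload.at_hash && tokenSet.access_token) {
 throw new RPError({
@@ -739,19 +741,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 });
 }
 
-const fapi = this.constructor.name === 'FAPIClient';
-
 if (fapi) {
-if (payload.iat < timestamp - 3600) {
-throw new RPError({
-printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
-now: timestamp,
-tolerance: this[CLOCK_TOLERANCE],
-iat: payload.iat,
-jwt: idToken,
-});
-}
-
 if (!payload.s_hash && (tokenSet.state || state)) {
 throw new RPError({
 message: 'missing required property s_hash',
@@ -773,6 +763,16 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 }
 }
 
+if (fapi && payload.iat < timestamp - 3600) {
+throw new RPError({
+printf: ['JWT issued too far in the past, now %i, iat %i', timestamp, payload.iat],
+now: timestamp,
+tolerance: this[CLOCK_TOLERANCE],
+iat: payload.iat,
+jwt: idToken,
+});
+}
+
 if (tokenSet.access_token && payload.at_hash !== undefined) {
 try {
 tokenHash.validate({ claim: 'at_hash', source: 'access_token' }, payload.at_hash, tokenSet.access_token, header.alg, key && key.crv);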
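Review bot: The relocated age check at new line 766, `if (fapi && payload.iat < timestamp - 3600) {`, reports `this[CLOCK_TOLERANCE]` in the thrown RPError but does not apply it to the comparison, so if the 3600 s window is meant as an absolute bound rather than a skew allowance that deserves a comment, and if it is not, the comparison should read `payload.iat < timestamp - 3600 - this[CLOCK_TOLERANCE]` (assuming the tolerance is a number of seconds, which the hunk does not show). A short why-comment above the check would help either way, e.g. `// FAPI: reject ID Tokens issued more than 60 minutes ago, whichever channel returned them`. Note also that `undefined < number` is false, so an ID Token with no iat claim passes this check silently; that is only safe if iat presence is enforced earlier in the method, which is outside the hunk. The enclosing method starts before the first hunk and continues past the last one.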